Logstash Grok - Extract field if field exists & deleting character

gringorion · July 23, 2021, 2:31pm

Hello Guys,

My case is simple, but can't find the perfect response.

I need to extract the field: user@domain into 2 fields.
This step is OK:
%{WORD:user}%{NOTSPACE:domain}?
gives:

{
  "user": "user",
  "domain": "@domain"
}

This domain field is not present all the time, so I may have only user, this is why I have the ? character:

so the field: user
gives

{
  "user": "user"
}

with the same Grok Pattern

What I don't succeed to do, is to delete the @ in domain field when this field is found, using the same pattern in both cases.

Do you have any idea ?

Many thanks

Badger · July 23, 2021, 5:24pm

You could try

%{WORD:user}@?%{NOTSPACE:domain}?

gringorion · July 23, 2021, 7:13pm

I knew it was a great idea to post here.
Badger, I think I owe you a beer!

thanks a lot !

system · August 20, 2021, 7:14pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Extract domain from field Logstash	4	777	November 2, 2018
Parsing an existing field further Logstash	6	389	September 10, 2021
Grok Regex - Captured and Non-Captured Groups Logstash	3	3781	July 6, 2017
Parsing log with "@" as token Logstash	3	616	July 6, 2017
Split field in elastic Logstash	7	284	July 15, 2021